Advisories ยป MGASA-2016-0176

Updated qemu packages fix security vulnerabilities

Publication date: 18 May 2016
Modification date: 18 May 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2015-8817 , CVE-2015-8818 , CVE-2016-1922 , CVE-2016-1981 , CVE-2016-2197 , CVE-2016-2198 , CVE-2016-2391 , CVE-2016-2392 , CVE-2016-2538 , CVE-2016-2841 , CVE-2016-2857 , CVE-2016-2858 , CVE-2016-3710 , CVE-2016-3712 , CVE-2016-4001 , CVE-2016-4002 , CVE-2016-4020 , CVE-2016-4037

Description

Updated qemu packages fix security vulnerabilities:

An out-of-bounds flaw was found in the QEMU emulator built using
'address_space_translate' to map an address to a MemoryRegionSection. The
flaw could occur while doing pci_dma_read/write calls, resulting in an
out-of-bounds read-write access error. A privileged user inside a guest could
use this flaw to crash the guest instance (denial of service) (CVE-2015-8817,
CVE-2015-8818).

A NULL-pointer dereference flaw was found in the QEMU emulator built with TPR
optimization for 32-bit Windows guests support. The flaw occurs when doing
I/O-port write operations from the HMP interface. The 'current_cpu' value
remains null because it is not called from the cpu_exec() loop, and
dereferencing it results in the flaw. An attacker with access to the HMP
interface could use this flaw to crash the QEMU instance (denial of service)
(CVE-2016-1922).

It was discovered that QEMU incorrectly handled the e1000 device. An
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service (CVE-2016-1981).

Zuozhi Fzz discovered that QEMU incorrectly handled IDE AHCI emulation. An
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service (CVE-2016-2197).

Zuozhi Fzz discovered that QEMU incorrectly handled USB EHCI emulation. An
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service (CVE-2016-2198).

Zuozhi Fzz discovered that QEMU incorrectly handled USB OHCI emulation
support. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service (CVE-2016-2391).

Qinghao Tang discovered that QEMU incorrectly handled USB Net emulation
support. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service (CVE-2016-2392).

Qinghao Tang discovered that QEMU incorrectly handled USB Net emulation
support. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service, or possibly leak
host memory bytes (CVE-2016-2538).

Hongke Yang discovered that QEMU incorrectly handled NE2000 emulation
support. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service (CVE-2016-2841).

Ling Liu discovered that QEMU incorrectly handled IP checksum routines. An
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service, or possibly leak host memory bytes
(CVE-2016-2857).

It was discovered that QEMU incorrectly handled the PRNG back-end support.
An attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service (CVE-2016-2858).

Wei Xiao and Qinghao Tang discovered that QEMU incorrectly handled access
in the VGA module. A privileged attacker inside the guest could use this
issue to cause QEMU to crash, resulting in a denial of service, or possibly
execute arbitrary code on the host. In the default installation, when QEMU
is used with libvirt, attackers would be isolated by the libvirt AppArmor
profile (CVE-2016-3710).

Zuozhi Fzz discovered that QEMU incorrectly handled access in the VGA
module. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service, or possibly
execute arbitrary code on the host. In the default installation, when QEMU
is used with libvirt, attackers would be isolated by the libvirt AppArmor
profile (CVE-2016-3712).

Oleksandr Bazhaniuk discovered that QEMU incorrectly handled Luminary
Micro Stellaris ethernet controller emulation. A remote attacker could use
this issue to cause QEMU to crash, resulting in a denial of service
(CVE-2016-4001).

Oleksandr Bazhaniuk discovered that QEMU incorrectly handled MIPSnet
controller emulation. A remote attacker could use this issue to cause QEMU
to crash, resulting in a denial of service (CVE-2016-4002).

Donghai Zdh discovered that QEMU incorrectly handled the Task Priority
Register(TPR). A privileged attacker inside the guest could use this issue
to possibly leak host memory bytes (CVE-2016-4020).

Du Shaobo discovered that QEMU incorrectly handled USB EHCI emulation
support. A privileged attacker inside the guest could use this issue to
cause QEMU to consume resources, resulting in a denial of service
(CVE-2016-4037).

The qemu package has been updated to version 2.4.1 and patched to fix these
issues.

References

SRPMS

5/core